I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellania like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

Chaouki Bekrar (center) and Vupen's team of hackers at the Pwn2Own hackathon in Vancouver in March. (Photo credit: Ryan Naraine)

This story appears in the April 9th issue of Forbes magazine.

At a Google-run competition in Vancouver last month, the search giant’s famously secure Chrome Web browser fell to hackers twice. Both of the new methods used a rigged website to bypass Chrome’s security protections and completely hijack a target computer. But while those two hacks defeated the company’s defenses, it was only a third one that actually managed to get under Google’s skin.

A team of hackers from French security firm Vupen were playing by different rules. They declined to enter Google’s contest and instead dismantled Chrome’s security to win an HP-sponsored hackathon at the same conference. And while Google paid a $60,000 award to each of the two hackers who won its event on the condition that they tell Google every detail of their attacks and help the company fix the vulnerabilities they had used, Vupen’s chief executive and lead hacker, Chaouki Bekrar, says his company never had any intention of telling Google its secret techniques—certainly not for $60,000 in chump change.

“We wouldn’t share this with Google for even $1 million,” says Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”

Those customers, after all, don’t aim to fix Google’s security bugs or those of any other commercial software vendor. They’re government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets.

In that shady but legal market for security vulnerabilities, a zero-day exploit that might earn a hacker $2,000 or $3,000 from a software firm could earn 10 or even 100 times that sum from the spies and cops who aim to use it in secret. Bekrar won’t detail Vupen’s exact pricing, but analysts at Frost & Sullivan, which named Vupen the 2011 Entrepreneurial Company of the Year in vulnerability research, say that Vupen’s clients pay around $100,000 annually for a subscription plan, which gives them the privilege of shopping for Vupen’s techniques. Those intrusion methods include attacks on software such as Microsoft Word, Adobe Reader, Google’s Android, Apple’s iOS operating systems and many more—Vupen bragged at HP’s hacking competition that it had exploits ready for every major browser. And sources familiar with the company’s business say that a single technique from its catalog often costs far more than its six-figure subscription fee.

Even at those prices, Vupen doesn’t sell its exploits exclusively. Instead, it hawks each trick to multiple government agencies, a business model that often plays its customers against one another as they try to keep up in an espionage arms race.

Bekrar claims that Vupen carefully screens its clients, selling only to NATO governments and “NATO partners.” He says Vupen has further “internal processes” to filter out nondemocratic nations and requires buyers to sign contracts that they won’t reveal or resell their exploits. But even so, he admits that the company’s digital attack methods could still fall into the wrong hands. “We do the best we can to ensure it won’t go outside that agency,” Bekrar says. “But if you sell weapons to someone, there’s no way to ensure that they won’t sell to another agency.”

That arms-trade comparison is one Vupen’s critics are eager to echo. Chris Soghoian, a privacy activist and fellow at the Open Society Foundations, calls Vupen a “modern-day merchant of death,” selling “the bullets for cyberwar.” After one of its exploits is sold, Soghoian says, “it disappears down a black hole, and they have no idea how it’s being used, with or without a warrant, or whether it’s violating human rights.” The problem was starkly illustrated last year when surveillance gear from Blue Coat Systems of Sunnyvale, Calif. was sold to a United Arab Emirates firm but eventually ended up tracking political dissidents in Syria. “Vupen doesn’t know how their exploits are used, and they probably don’t want to know. As long as the check clears.”

Vupen is hardly alone in the exploit-selling game, but other firms that buy and sell hacking techniques, including Netragard, Endgame and larger contractors like Northrop Grumman and Raytheon, are far more tight-lipped than Bekrar’s small firm in Montpellier, France. Bekrar describes his company as “transparent.” Soghoian calls it “shameless.”

“Vupen is the Snooki of this industry,” says Soghoian. “They seek out publicity, and they don’t even realize that they lack all class. They’re the Jersey Shore of the exploit trade.”

High-end exploit broker "the Grugq" at a Bangkok bar. The bag of cash at his feet is for one of his exploit developers. (Photo credit: Christopher Wise/Redux)

Even so, Bekrar won’t share revenue numbers, though he insists the firm is profitable. One person who will share those sales numbers is a South African hacker who goes by the name “the Grugq” and lives in Bangkok. For just over a year the Grugq has been supplementing his salary as a security researcher by acting as a broker for high-end exploits, connecting his hacker friends with buyers among his government contacts. He says he takes a 15% commission on sales and is on track to earn more than $1 million from the deals this year. “I refuse to deal with anything below mid-five-figures these days,” he says. In December of last year alone he earned $250,000 from his government buyers. “The end-of-year budget burnout was awesome.”

But the Grugq assesses Bekrar’s startup, which generates all its own exploits, as significantly more lucrative. “He’s pretty f—ing smart,” says the Grugq. “He holds all the cards. He can tell his clients to buy at the price he’s offering, or someone else will.”

Despite his talk about “transparency,” Bekrar won’t say much about his personal history or career prior to founding Vupen—not even his age. But Vupen is his third try at a startup focused on digging up software-security bugs. His previous companies, K-Otik and FrSIRT, made their bug findings public. Even after founding Vupen (whose name stands for “vulnerability research” and “penetration testing”) in 2008, Bekrar and his researchers initially worked with some software vendors to patch their flaws. But after taking $1.5 million in venture capital from 360 Capital Partners and Gant & Partners, Bekrar found that the firm could earn far more by keeping its findings under wraps and selling them at a premium.

Lately Bekrar goes so far as publicly taunting the companies whose products he hacks. In May 2011 Vupen released a video showing that it could penetrate a machine running Chrome but offered no further information to Google. When Google responded that Vupen’s exploit targeted the Flash plug-in that runs in the browser rather than Chrome itself, Bekrar accused the company on Twitter of downplaying its vulnerabilities and called it “pathetic.” Google security staffers responded by scolding Bekrar for disregarding users’ privacy and called him an “ethically challenged opportunist.”

Bekrar shrugs off the insults. “We don’t work as hard as we do to help multibillion-dollar software companies make their code secure,” he says. “If we wanted to volunteer, we’d help the homeless.”

Scott, Bekrar didn’t share the details of his hacking techniques with me. He only mentioned the fact that he possesses them (which was confirmed at the hacking competition). The valuable information is very technical and specific. That’s what Vupen sells, and it’s very possible it does get more than a million worth of revenue from some similar exploits.

Frankly this might help reduce the trend of treating all customers at beta-test sites rather than spending the time in advance to prevent or reduce security errors.

Software development policy now seems to be ‘let’s shove this out the door, the early adopters will let us know where the errors are, and once they do, we’ll fix them then.’

While Vupen is clearly showboating, it illustrates the value of the flaws, such that offering $60,000 to good Samaritans clearly undervalues their work. But there’s nothing price won’t fix, so Google et al. just need to either pony up larger reward sums, or do better in-house evaluation before release.

I bet if Google had paid $600,000 to each of the hackers who won, that would attract a lot more attention from freelance security experts than $60K does.

Where are all the CrApple iFad 3 Media Hack pimping Stories???? Notice how they’ve all dried up suddenly since iFads are roasting your chestnuts boys and gals ……. you know. I suspect all the CrApple Media Hacks at Forbers have been told to shut up till the HEAT blows over.

The exploit they found in Chrome was in the third-party add-on, most probably Adobe Flash. So they DID NOT FIND ANY SECURITY HOLE as they claim. Google will not give $1 million if they beg with this claim. Over-hyped technology engineers, that is what they are, nothing more. Andy, I suggest you write articles about legitimate hackers, not kids.

Why doesn’t Google just sign up for these vulnerability newsletters themselves, to make sure their customers can surf the web safely? Either they pay for this information that they know is there, or they leave their product open to potential exploits. In any case, what they’d pay for learning about these exploits is probably an order of magnitude cheaper (and faster) than a full software security testing of every line of code in Chrome.

Rune, Google does pay for exploits, as much as $3,133.70 typically and $60,000 in the Pwnium contest. But they can’t compete with the prices paid by buyers who use the exploits for offense rather than defense. Remember that the subscription fee I mentioned above doesn’t include the price of the exploits themselves.

I understand that Google doesn’t want to pay market prices. I think my point still stands though. Either Google pays market prices (subscription fee plus at least $150k per exploit), or they let their customers be open to attacks. I think I’d consider paying for a browser where the vendor chose this strategy. According to various sources (from Wikipedia) Google has 24% share in the browser market. If we assume there are 500 million Internet users with PCs then there are approximately 120 million Google Chrome users. If 1% of Google Chrome users are willing to pay a small fee to Google for buying vulnerability information, then – assuming an average exploit price of $300k – they would effectively pay $0.25 per exploit. I’d be willing to pay that.

If ‘fighting for freedom’ can mean invading a country, installing a puppet democracy and slaying hundreds of your men in the process for cheaper access to oil, then why not sell invasive technology?

Offensive technology will always be needed; better it be controlled by firms like these than sold individually in black markets.

It’s the possession of offensive technology, like nuclear weapons, that has nullified the possibility of another world war.